| Index: lib/compat.js |
| =================================================================== |
| --- a/lib/compat.js |
| +++ b/lib/compat.js |
| @@ -292,16 +292,51 @@ XMLHttpRequest.prototype = |
| _loadHandlers: null, |
| _errorHandlers: null, |
| onload: null, |
| onerror: null, |
| status: 0, |
| readyState: 0, |
| responseText: null, |
| + // list taken from https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name |
| + _forbiddenRequestHeaders: { |
| + "accept-charset": true, |
| + "accept-encoding": true, |
| + "access-control-request-headers": true, |
| + "access-control-request-method": true, |
| + "connection": true, |
| + "content-length": true, |
| + "cookie": true, |
| + "cookie2": true, |
| + "date": true, |
| + "dnt": true, |
| + "expect": true, |
| + "host": true, |
| + "keep-alive": true, |
| + "origin": true, |
| + "referer": true, |
| + "te": true, |
| + "trailer": true, |
| + "transfer-encoding": true, |
| + "upgrade": true, |
| + "via": true, |
| + }, |
| + _forbiddenRequestHeadersRe: new RegExp("^(Proxy|Sec)-", "i"), |
| + |
| + _isRequestHeaderAllowed: function(header) |
| + { |
| + if (this._forbiddenRequestHeaders.hasOwnProperty(header.toLowerCase())) |
| + return false; |
| + if (header.match(this._forbiddenRequestHeadersRe)) |
| + return false; |
| + |
| + return true; |
| + }, |
| + |
| addEventListener: function(eventName, handler, capture) |
| { |
| var list; |
| if (eventName == "load") |
| list = this._loadHandlers; |
| else if (eventName == "error") |
| list = this._errorHandlers; |
| else |
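Review bot: `_isRequestHeaderAllowed` lowercases the name for the table lookup but never checks that `header` is a valid field-name token, so a name carrying leading/trailing whitespace or a CR/LF (e.g. `"Host "` or `"Cookie\r\n"`) misses both the `hasOwnProperty` lookup and the `^(Proxy|Sec)-` regex and is reported as allowed; whether the transport underneath then emits it cannot be seen from this hunk. Reject non-token names before the denylist checks, e.g. `if (!/^[!#$%&'*+\-.^_\x60|~0-9A-Za-z]+$/.test(header)) return false;` (the RFC 7230 token character set), which also makes the denylist lookup exact. In a boolean position `header.match(this._forbiddenRequestHeadersRe)` is better written `this._forbiddenRequestHeadersRe.test(header)`. The enclosing `XMLHttpRequest.prototype` object literal starts before and ends after this hunk.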
| @@ -375,17 +410,20 @@ XMLHttpRequest.prototype = |
| { |
| }, |
| setRequestHeader: function(name, value) |
| { |
| if (this.readyState > 1) |
| throw new Error("Cannot set request header after sending"); |
| - this._requestHeaders[name] = value; |
| + if (this._isRequestHeaderAllowed(name)) |
| + this._requestHeaders[name] = value; |
| + else |
| + console.warn("Attempt to set a forbidden header was denied: " + name); |
| }, |
| getResponseHeader: function(name) |
| { |
| name = name.toLowerCase(); |
| if (!this._responseHeaders || !this._responseHeaders.hasOwnProperty(name)) |
| return null; |
| else |